Seoul: On April 7, a model few have seen began to reshape how states think about security. Anthropic's new AI model, dubbed "Mythos," was withheld from public release but nonetheless revealed a disquieting capability. It identified software flaws that had remained hidden for nearly three decades and could exploit them without human input.
According to Yonhap News Agency, the fundamental shift is one of velocity. Tasks once requiring days of expert labor now take minutes. This compresses the margin on which cyber defense has long depended. Security has relied on a delay between discovery and exploitation, giving defenders space to respond. Mythos reduces that buffer to near zero. Its ability to combine multiple weaknesses into coordinated attacks extends techniques once limited to elite hackers. The emergence of "vibe hacking," where nonspecialists generate exploits using artificial intelligence, signals a wider diffusion of offensive power.
Governments have reacted with unusual speed. The US government convened officials and industry leaders. Financial regulators in the US and UK called emergency meetings with major banks. Their concern is not groundless. If AI can autonomously identify and exploit vulnerabilities, infrastructure from payment systems to energy networks becomes more exposed. Tests suggest Mythos has already uncovered severe flaws in widely used operating systems and software libraries, including bugs undetected for 27 years.
Technology firms have responded by closing ranks. Through Project Glasswing, companies including Google, Apple, and Microsoft are using early access to strengthen defenses before similar tools spread. The aim is preemption. If vulnerabilities are fixed before exposure, the cost of launching an attack rises. Security shifts from postbreach repair to prevention.
South Korea enters this shift with structural weaknesses. Its security architecture has long relied on installation-based software embedded in user devices. Once seen as protective, these layers have often created additional entry points. Global standards have moved toward browser-based encryption and passkeys, yet Korea's legacy systems remain entrenched. In an AI-driven threat environment, such rigidity carries risk.
Even without AI-driven attacks, Korea's security architecture already shows vulnerability to simpler failures. The implications of autonomous exploitation are harder to dismiss. More significant is Korea's absence from emerging security alliances. No domestic firm is included among the small group granted early access to tools like Mythos. This is not merely a commercial gap. It limits the ability to identify and fix vulnerabilities before they are widely exposed. As advanced models become central to both attack and defense, access itself becomes strategic.
The geopolitical dimension sharpens the challenge. Comparable capabilities are expected to emerge beyond the US within months, including in China. This raises the prospect of an AI arms race in which cyber tools resemble a form of digital strategic weapon. Calls for a nonproliferation framework are growing, though difficult to realize. Unlike nuclear technology, AI is harder to contain and largely driven by private firms.
For Seoul, the implications are immediate. Security cannot remain a regulatory afterthought or a secondary investment. It must be treated as core national infrastructure. The government's security policy should include accelerating sovereign AI development as a defensive asset and deploying real-time, AI-based protection systems capable of acting at machine speed. Mechanisms such as automated transaction halts may become essential.
Participation is equally critical. Standards for AI security will be shaped by those involved in their design. Staying outside these frameworks leaves Korea a rule-taker, not a rule-maker. The Mythos moment does not guarantee disruption, but it narrows the margin for error. Over time, AI may strengthen defenders by enabling more rigorous testing. However, the outlook for the near term is less forgiving. When the speed of attack exceeds the pace of response, outcomes will hinge on preparation. The deeper vulnerability lies not only in code, but in how quickly institutions adapt.